Difference between revisions of "Windows SuperFetch Format"

From Forensics Wiki
Jump to: navigation, search
(File header)
(File header)
(One intermediate revision by one user not shown)
Line 85: Line 85:
 
| 4
 
| 4
 
|  
 
|  
| Unknown
+
| Maximum number of records (of the record offsets array)
 
|-
 
|-
 
| 16
 
| 16
Line 95: Line 95:
 
| ...
 
| ...
 
|  
 
|  
| Array of record offsets, where the record offset is a 32-bit integer.
+
| Record offsets array, where the record offset is a 32-bit integer. Unused record offset are set to 0.
 
|-
 
|-
 
|}
 
|}

Revision as of 00:46, 15 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Contents

MEMO file

Some of the Ag*.db files are MEMO files.

The MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO") Signature
4 4 Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset Size Value Description
0 4 Compressed data size
4 ... Compressed data

Uncompressed data

TODO

TRX file

The Ag*.db.trx files are TRX files.

Note that the following format specification is incomplete.

File header

The file header is variable of size and consists of:

Offset Size Value Description
0 4 1 Unknown (Version?)
4 4 Unknown
8 4 File size
12 4 Maximum number of records (of the record offsets array)
16 4 Number of records
20 ... Record offsets array, where the record offset is a 32-bit integer. Unused record offset are set to 0.

See Also

External Links